Amendment to the Claims:

This listing of claims will replace all prior versions, and listings, of claims in the application:

Listing of Claims:

1. (Currently Amended) A computer architecture for an intrusion detection system,
comprising:

a control agent to interface with a management system and to monitor system activity;
at least one data gathering component which gathers kernel audit data and syslog data;
at least one correlator to interpret and analyze the kernel audit data and the syslog data
using at least one detection template;

wherein at least one of said at least one correlator uses event driven correlation
services having an ECS engine core.

2. (Original) The computer architecture of claim 1 , wherein said intrusion detection 
system is host-based. 

3. (Original) The computer architecture of claim 1, wherein said detection templates 
are configured into surveillance groups and into surveillance schedules. 

4. (Original) The computer architecture of claim 1, wherein said management 
system includes a graphical user interface. 

5. (Original) The computer architecture of claim 4, further comprising a 
communication agent which encrypts information sent from said intrusion detection system to 
said management station. 

6. (Original) The computer architecture of claim 1, wherein there is a low bandwidth
connection between said control agent and each of said data gathering components and said at
least one correlator and a high bandwidth connection between said control agent and each said
data gathering component and said correlator.

7. (Original) The computer architecture of claim 1, wherein said correlator uses a 
meta-description language. 

8. (Original) The computer architecture of claim 1, wherein said high bandwidth 
connection is used to send and receive memory-mapped files. 

9. (Original) The computer architecture of claim 1, wherein said data gathering 
component includes a kernel audit record component and a syslog component. 

10. (Original) The computer architecture of claim 9, wherein said data gathering 
component and said syslog component convert gathered data into an ASCII format. 

11. (Original) The computer architecture of claim 1, further comprising a notification
log and a response script connected to said control agent.

12. (Original) The computer architecture of claim 1, further comprising an installed 
bits file connected to said control agent. 

Claim 13 (cancelled). 

14. (Original) The computer architecture of claim 1, wherein the management system 
controls more than one control agent each residing on a different computer. 

15. (Original) The computer architecture of claim 1, wherein said at least one 
template is selected from the group including: 

reading kernel records; 

reformatting each of the read kernel records into a different format; 

parsing the records and comparing the parsed records against one or more templates. 
16. (Original) The computer architecture of claim 1, wherein said control agent
communicates with said management system across a secure communications link. 

17. (Original) The computer architecture of claim 1 , wherein if the correlator detects 
an intrusion an alert will be sent to the management system and a potential intrusion alert record 
will be logged to a notification file. 

18. (Currently Amended) The computer architecture of claim 1, wherein said at least
one data gathering component includes a buffer.

19. (Original) A computer architecture for detecting intrusions, comprising:

reading means for reading kernel records;

reformatting means for reformatting each of the read kernel records into a different
format;

parsing means for parsing the records and comparing the parsed records against one or
more templates.

20. (Original) The computer architecture of claim 19, wherein the at least one 
template is selected from the group including: 

a modification of files/directories template; 
a change to log files template; 

a SetUID files template; 

a creation of world-writables template; 

a repeated failed logins template; 

a repeated failed SU commands template; 

a race conditions attack template; 

a buffer overflow attacks template; 

a modification of another user's file template; 

a monitor for the start of interactive sessions template; and 

a monitor logins/logouts template. 
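The reading, reformatting and comparing steps of claims 19 and 20, shown as an added illustration in Python that is not code from the patent or its ECS engine: constructed syslog lines are parsed into events and run through two of the listed templates, repeated failed logins and repeated failed SU commands, with count thresholds and time windows that are assumed here rather than taken from the claims.

```python
import re
from collections import deque
from datetime import datetime
# Constructed sample syslog lines (not from the patent); the year is assumed to be 2024.
SYSLOG_SAMPLE = """\
Mar  3 10:00:01 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 4410 ssh2
Mar  3 10:00:09 host1 sshd[2202]: Failed password for root from 203.0.113.7 port 4411 ssh2
Mar  3 10:00:15 host1 sshd[2203]: Failed password for admin from 203.0.113.7 port 4412 ssh2
Mar  3 10:00:30 host1 sshd[2204]: Accepted password for alice from 198.51.100.5 port 5000 ssh2
Mar  3 10:02:00 host1 su: FAILED SU (to root) bob on pts/1
Mar  3 10:02:20 host1 su: FAILED SU (to root) bob on pts/1
Mar  3 10:09:00 host1 su: FAILED SU (to root) bob on pts/1
"""
PREFIX = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^\[:]+)(?:\[\d+\])?: (.*)$")
# Reformatting step: message patterns that map a raw line to an event kind and a correlation key
EVENT_PATTERNS = [
    ("failed_login", re.compile(r"Failed password for \S+ from (\S+)")),
    ("failed_su", re.compile(r"FAILED SU \(to \S+\) (\S+)")),
]
# Detection templates with assumed thresholds: (name, event kind, count, window in seconds)
TEMPLATES = [
    ("repeated failed logins", "failed_login", 3, 60),
    ("repeated failed SU commands", "failed_su", 3, 300),
]
def parse_line(line):
    """Parse one raw syslog line into an event dict; None if it matches no pattern."""
    m = PREFIX.match(line)
    if m:
        for kind, pat in EVENT_PATTERNS:
            e = pat.search(m.group(4))
            if e:
                ts = datetime.strptime("2024 " + " ".join(m.group(1).split()), "%Y %b %d %H:%M:%S")
                return {"ts": ts.timestamp(), "host": m.group(2), "kind": kind, "key": e.group(1)}
    return None

def correlate(text):
    """Event-driven correlation: alert when one key reaches a template's count inside its window."""
    windows, alerts = {}, []  # (template name, key) -> deque of event timestamps
    for ev in filter(None, map(parse_line, text.splitlines())):
        for name, kind, threshold, window in TEMPLATES:
            if ev["kind"] != kind:
                continue
            q = windows.setdefault((name, ev["key"]), deque())
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:  # expire timestamps that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                alerts.append((name, ev["host"], ev["key"]))
                q.clear()  # one alert per burst, then start counting again
    return alerts
```

The three SU failures for bob span seven minutes, so they never reach the count inside the five-minute window and produce no alert, while the three SSH failures within fourteen seconds do.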
21. (Currently Amended) A computer system, comprising:

a processor; and stored therein sequences of

parsing the records and comparing the parsed

22. (Currently Amended) The computer system of claim 21, wherein the at
least one template is selected from the group including:
a modification of files/directories template; 
a change to log files template; 

a SetUID files template; 

a creation of world- writables template; 

a repeated failed logins template; 

a repeated failed SU commands template; 

a race conditions attack template; 

a buffer overflow attacks template; 
a modification of another user's file template;

a monitor for the start of interactive sessions template; and 

a monitor logins/logouts template. 

23. (New) The computer system of claim 22, wherein said event correlation services has
an ECS engine core.

24. (New) The computer system of claim 22, wherein said ECS engine core uses a meta-
data language.
25. (New) The computer system of claim 24, wherein a translator module converts audit
records and other events into internal ECS event format structures. 

26. (New) The computer system of claim 23, wherein said ECS engine core operates 
using an event driven model. 